Import users from AD using SCIM

We need to import users from AD, since the bridge server will be decommissioned from December this year.

We will need to use the SCIM implementation as mentioned in the Purecloud resource center.

However we require some clarity on some JSON fields as per the below:

"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id":"2819c223-7f76-453a-919d-413861904646",
"externalId":"bjensen",

What do we need to get from the customer's side in regard to importing users, i.e. LDAP query, OrgID?

Also is there any other documentation in regards to the SCIM import of users?

Apart from this link: https://developer.mypurecloud.com/api/rest/v2/scim/scim-overview.html

We intend to get documents published with many details and pertinent suggestions about implementation.
Here is some info that should help you get started and understand more about what is going on.

An example PureCloud SCIM record for a user. This should help clarify some of the values. This is from a GET /scim/v2/Users/d2ac184e-4733-41e9-8a45-3459e1efd8c7

{
  "id": "d2ac184e-4733-41e9-8a45-3459e1efd8c7",
  "displayName": "--campaignUser0, Bob",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "active": true,
  "userName": "--campaignUser0@example.com",
  "title": "MyTitle2",
  "phoneNumbers": [
    {
      "value": "+13177023406",
      "type": "work",
      "primary": true
    },
    {
      "value": "+33222222222",
      "type": "work2",
      "primary": false
    }
  ],
  "emails": [
    {
      "value": "--campaignUser0@example.com",
      "type": "other",
      "primary": true
    }
  ],
  "meta": {
    "resourceType": "User",
    "lastModified": "2019-04-09T19:36:50.000Z",
    "location": "/api/v2/scim/v2/users/d2ac184e-4733-41e9-8a45-3459e1efd8c7",
    "version": "56"
  },
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "division": "KristenDivision2",
    "department": "Department"
  }
}

Response Headers:
ETag →"56"
ININ-Correlation-Id →b4791acb-014e-4daa-92db-99dd9e9e4d9d
inin-ratelimit-count →7
inin-ratelimit-allowed →200
inin-ratelimit-reset →4
Strict-Transport-Security →max-age=600; includeSubDomains
Cache-Control →no-cache, no-store, must-revalidate
Pragma →no-cache
Expires →0
Content-Type →application/scim+json
Date →Fri, 12 Apr 2019 14:16:49 GMT
Content-Length →761

There are some important things to note about the response headers.

  1. ETag is the version. It may be used with If-Match and If-None-Match headers on PUTs and GETs.
  2. Content type is application/scim+json
  3. ININ Correlation ID is a good thing to keep in any audit trails because PureCloud support and DEV can track that back to errors in our system logs and audits.
  4. There are rate limits for the API. The inin-limit-* headers will indicate the rate limit, the current count, and how many seconds to reset. The API will return a 429 if over the limit, and these values will indicate how long to wait until API calls are allowed.

The Rate Limits are one reason that an integration MUST be well behaved and not do brute force updates of all users or frequent scans of all users.

Also related to performance, GET of users is restricted in how many users will be returned.

Creating a user (POST) via SCIM requires the following SCIM fields:

  1. userName, the unique identifier for the user in PureCloud, and must be a unique email address. From AD we usually use userPrincipalName
  2. displayName

Any other user attribute may also be set with the POST.

Enterprise user manager is supported, but must be the PureCloud/SCIM User.id.

The externalId currently is not supported, but will be added. It is the ID used in the external system, and will allow /scim/v2/User?filter=externalId eq {externalId} searches to look for users that were created with externalIds. The value is not directly used by PureCloud.

The emails type "other" is a read only value because it is automatically created from the userName.
Additional email types are 'work'.
Phone number types are "work", "work2", "work3", "work4", "home", "mobile".

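Added example (not part of the original posts and not PureCloud's own code): a sketch of how a sync client can act on the response headers described above, pausing on the `inin-ratelimit-*` values, sending the ETag back as `If-Match` on a PUT, and keeping the correlation ID in its audit trail. The function names, the `send` transport callable, the `reserve` threshold and the 1-second fallback are assumptions made for illustration.

```python
import time

# Constructed sample: the response headers from the GET shown in the post above.
SAMPLE_HEADERS = {
    "ETag": '"56"',
    "ININ-Correlation-Id": "b4791acb-014e-4daa-92db-99dd9e9e4d9d",
    "inin-ratelimit-count": "7",
    "inin-ratelimit-allowed": "200",
    "inin-ratelimit-reset": "4",
    "Content-Type": "application/scim+json",
}

def _lower(headers):
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}

def rate_limit_delay(status, headers, reserve=5):
    """Seconds to pause before the next call, from the inin-ratelimit-* headers."""
    h = _lower(headers)
    try:
        remaining = int(h["inin-ratelimit-allowed"]) - int(h["inin-ratelimit-count"])
        reset = int(h["inin-ratelimit-reset"])
    except (KeyError, ValueError):
        return 1 if status == 429 else 0  # headers absent: assumed 1 s fallback
    if status == 429 or remaining <= reserve:
        return max(reset, 1)              # wait out the current window
    return 0

def conditional_put_headers(get_headers, token):
    """Headers for a PUT that applies only if the user is still at the version read."""
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/scim+json"}
    etag = _lower(get_headers).get("etag")
    if etag:
        headers["If-Match"] = etag        # sent back verbatim, quotes included
    return headers

def call_with_backoff(send, request, audit, max_tries=3, sleep=time.sleep):
    """send(request) -> (status, headers). Retries 429s and audits every attempt."""
    for _ in range(max_tries):
        status, headers = send(request)
        audit.append({"path": request["path"], "status": status,
                      "correlation_id": _lower(headers).get("inin-correlation-id")})
        delay = rate_limit_delay(status, headers)
        if delay:
            sleep(delay)
        if status != 429:
            return status
    raise RuntimeError("still rate limited after %d tries" % max_tries)
```

The audit entries deliberately record the correlation ID and status but never the bearer token.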

Hi Greg

Thank you for the feedback.

Do you by any chance know the timeframe when the documentation will be released?

Thank you for the above example, but is there any way to do this for a bulk amount of users? It looks like the above is entering a user manually via the API.

Is there no way we are able to import all the users from AD?

SCIM is not intended to be an import tool. It is an interface for setting up an active sync. Bulk import tools are part of the provisioning interfaces for setting up the account. I don't work with those but I think there is a mechanism for importing from CSV. Does that sound more like what you want?

Theolan,

As our SCIM implementation becomes available, there will be additional documentation in the PureCloud resource center and developer center that will outline its usage.

In several cases there will be bespoke integrations available in the "App Store" of various providers (initial targets are Azure AD, OneLogin, Google G Suite, etc.) that should provide a relatively simple workflow to stand up user synchronization. In the case of these providers, the "app" will include a default configuration that covers the majority of attributes supported by PureCloud and a default mapping to attributes within the identity provider; the main point of configuration will be the creation of an OAuth client within your PureCloud organization and providing that client information to the app in the identity provider. There will be corresponding documentation for each of these bespoke apps in the PureCloud resource center to assist with this configuration, as well as a release note that links to said documentation when it is available.

These bespoke apps will provide active management of users within PureCloud (similar to the existing bridge connectors); creating, modifying, or deleting users based on their state changes within the identity provider's data set.

Please let me know if there are additional questions you might have.
